The spam appears to come from within the victim's own domain (but doesn't). In case you don't recognise all those random letters, that's what an email attachment looks like.. but something has gone badly wrong with this spam run. I haven't analysed the payload, but it is likely to be Locky ransomware as found here.

Wednesday, 24 February 2016

This fake financial spam is not from IKEA, but it instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.

From: DoNotReply@ikea.comDate: 24 February 2016 at 09:56Subject: Thank you for your order!

IKEA UNITED KINGDOM

Order acknowledgement:

To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being
processed. Please check your order and contact us as soon as possible if
any details are incorrect. IKEA Customer Relations, Kingston Park,
Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015

Total cost:
£122.60

Delivery date: 24-02-2016

Delivery method: Parcelforce

We will confirm your delivery date by text,email or telephone within 72 hrs.

Order/Invoice number:607656390

Order time: 8:31am GMT

Order/Invoice date: 24-02-2016

Legal information
Please note that this email does not mean that we have accepted your
order and it does not form a binding contract. A contract will be formed
between You and IKEA at the time we dispatch your order to you, with
the exception of made to order sofas and worktops where order acceptance
occurs at the point when we send you our Delivery Advice email.

This is an email from IKEA Ltd (Company Number 01986283) whose
registered office address is at Witan Gate House 500-600 Witan Gate
West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness
of the contents of this email as it has been transmitted over a public
network.

The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.

UPDATE

Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.

In all the samples I have seen, the attachment is not formatted correctly and cannot be downloaded. Typically it will appears to be a 0 byte file with no name, but results might vary depending on the mail client.

After manually decoding the malware from the Base 64 section in the email, I found two distinct versions of the attachment (VirusTotal [1][2]) and the Malwr reports [3][4] show a malicious download from:

5.189.216.101/dropbox/download.php

The payload is the Dridex banking trojan (botnet 120) as described here.

I was not able to access the body text of this message. Note that the sender's email address varies slightly from message to message.

Attached is a file 398864 - Letter to recipient@domain.doc which contains the intended victim's email address. However - due to an error by the bad guys - none of the samples I have seen are downloadable.

The intended payload is probably the Dridex banking trojan, much like this.

Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up. Shame.

Attached is a file S-STA-SBP CRE (0036).xls which is actually corrupt, due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since Friday the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one, also spoofing the same company.

Attached is a file INVOICE_F-160003834.doc which will appear to be corrupt because the MIME attachment is malformed (it will either appear to be zero length or it will be garbage). This is the second corrupt spam run today, it was meant to be delivering the Dridex banking trojan. A fuller analysis of the attempted payload can be found here.

Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1][2][3]. The payload is meant to be the Dridex banking trojan.

If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section which has a leading space in it. Removing the space and decoding the Base 64 would generate the intended malicious message. Obviously, I don't recommend doing that unless who want to decode the malware..

UPDATE

A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:

Saturday, 14 March 2015

By chance, I found out that my blog had been blacklisted by Quttera. No big deal, because it happens from time-to-time due to the nature of the content on the site. But I discovered that it isn't just my blog, but Quttera also block industry-leading sites such as Cisco, VMWare, Sophos, MITRE, AVG and Phishtank.

For example, at the time of writing the following domains are all blacklisted by Quttera (clicking the link shows the current blacklisting status):

Now, you can ask Quttera to unblacklist your site for free by raising a ticket but the most prominent link leads to a paid service for £60/year. Hmmm.

I don't think that I will rush to subscribe to that. Obviously, something is seriously wrong with the algorithm in use, some of these sites should obviously be whitelisted. Quttera also doesn't understand the different between a malicious domain or IP being mentioned and such a site being linked to or injected into a site.

I guess there are many, many more domains that are in a similar situation. Perhaps you might want to check your own web properties and share your findings in the comments?

This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.

You can review complete details of your order on the Order History page

Thanks for choosing FedEx.

Order Confirmation Number: 0410493Order Date: 09/15/2013

Redemption Item Quantity Tracking Number Paper, Document 16 <

fedex.com Follow FedEx:

You may receive separate e-mails with tracking information for reward ordered.

My FedEx Rewards may be modified or terminated at any time without notice. Rewards points available for qualifying purchases and certain exclusions apply. For details and a complete listing of eligible products and services please read My FedEx Rewards Terms and Conditions .

Fax Message[Caller-ID: 697-377-6967] You have received a 28 page(s) fax at 2012-12-17
02:13:41 EST.* The reference number for this fax is
lax3_did10-1019412300-0003832668-11.This message can be opened using your PDF reader. If
you have not already installed j2 Messenger, download it for
free:http://www.j2.com/downloadsPlease visit http://www.j2.com/help if you have any
questions regarding this message or your j2 service.Thank you for using jConnect!Home
Contact Login2011 j2 Global Communications, Inc. All rights reserved.jConnect is a
registered trademark of j2 Global Communications, Inc.This account is subject to the
terms listed in thejConnect Customer Agreement.

Both the email and the attachment are horribly mangled, and in this case don't contain their malicious payload (as with this spam run). But be careful if receiving an email of this type as the next time the spammers try it, it may well be more dangerous.

Friday, 21 June 2013

This fake LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one that have an attachment larger than a couple of hundred bytes.

You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.

In this case the attachment is just 8 bytes and is harmless. Next time, it probably won't be..

Of note, the only link in the email goes to [donotclick]https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html which is the sort of thing that happens to a URL when it goes through Outlook Web Access, in this case it would be on the server server.nepplelaw.com but I have no explanation as to why it is there, however it is harmless.

Thursday, 20 June 2013

This email from Moniker shows an impressive combination of WIN and FAIL at the same time.

www.moniker.com

Moniker

Moniker’s Operations & Security team has discovered and blocked suspicious activity on the Moniker network that appears to have been a coordinated attempt to access a number of Moniker user accounts.

As a precaution to protect your domains, we have decided to implement a system-wide password reset. Please read the below instructions to create a new password. You will not be able to access your Moniker account until these steps are taken.

In our security investigation, we have found no evidence that domains have been lost or transferred out. We also have no evidence that any confidential or credit card information has been compromised.

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data and domains remain secure. This means that, to be absolutely sure of the security of your account, we are requiring all users to reset their Moniker account passwords.Please reset your password by following the directions below.

1) Go to Moniker.com and click the “Sign In” button in the upper right hand corner of the home page. Select the “Forgot Your Password” link.

2) You will be directed to a page to “Retrieve” your Moniker Account Password. When prompted, enter your account number and click “Submit”.

3) You will be directed to a page that displays the message below. You will receive an email from Moniker. Please follow the instructions in this email to complete the password reset.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your domains and personal data safe very seriously, and we're constantly enhancing the security of our service infrastructure to protect our customers. We feel it is also important to be clear that we view this as attempted illegal activity and have taken steps to report this to the appropriate authorities.

There are also several important steps that you can take to ensure that your data on any website, including Moniker, is secure:• Avoid using simple passwords based on dictionary words• Never use the same password on multiple sites or services• Never click on 'reset password' requests in emails that you did not request

Thank you for taking the time to read this email. We sincerely apologize for the inconvenience of having to change your password, but, ultimately, we believe this simple step will result in a more secure experience. If you have any questions, please do not hesitate to contact Moniker Support. Our support team is standing by to assist at 800-688-6311 or outside the U.S. and Canada: 954-607-1294.

Full disclosure and prompt action is a WIN. Shit happens, it's often how you deal with it that makes the difference. But wait.. where does the link in the email go to? t.lt02.net? Who the heck are they? And this is where a big dose of FAIL happens.

lt02.net belongs to a company called VertexInternet (vertex.net). This company is not related to Moniker, and bearing in mind that this email is about a potential security breach you might expect people to be a little bit cautious about clicking through those links.

To be fair, the body of the email does suggest going to "moniker.com" (i.e. typing it in the address bar). The mystery of lt02.net is easily explainable too.. VertexInternet run an email marketing system called Listrak which is what is being used to send out the email. The email is legitimate, and presumably it has been done this way for reasons of speed.. the problem is that many people will probably be highly suspicious of this email given the context and that this approach is often used by the Bad Guys.

If you are going to send out a message like this, make sure that all the links go to a site that the recipient would recognise. In this case the sensible option would be to link directly to moniker.com. I'm betting that quite a few people will ignore this message and then wonder why they cannot log into their accounts at a later date.

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

To view this document you need to use the Adobe Acrobat Reader.

-------------------------------------------------------------------------------This email has been scanned for viruses and spam.-------------------------------------------------------------------------------

The is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:

12 BA E8 AC 16 AC 7B AE

Another sample version looks like this, with just 6 bytes:

12 BA E8 AC 16 AC

Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?

Friday, 20 April 2012

If you use Blogger, you'll know that it has a new interface. It's horrible. OK, the old interface was horrible but usable at the same time. This is just horrible, with the familiar looking elements seeming sprinkled at random over the new interface.

There are a lot of companies at the moment doing a similar thing.. making over their tried and tested (but tired) old software interfaces and coming up with something pastel-ly and awful. Or perhaps I'm just a Luddite?

Update: you can share your feedback on the Blogger forum which is full of similar complaints.

Business Owner/Manager,
One of your business customers has filed a complaint with The Better Business Bureau concerning the negative experience he had with your company. The consumer complaint is attached below. Please submit your response to this matter as within 21 days. The most efficient way to provide your response is by using the Online Complaint system. Please follow the following link to access the above-mentioned customer complaint and submit your response to it:
BBB complaint center

Use the following data to login:

Case ID: #2478119
Password: 65950

The Better Business Bureau acts in the role of a a neutral third party, and helps you resolve your customer disputes fast and efficiently. We develop and support online Reliability reports on American companies, open to the Public and used by millions of business customers. A satisfactory customer report can have a pronounced positive impact on your business.

We hope for your immediate attention to this matter.

Sincerely,
Kenyon Frye
Dispute Counselor

Except the idiot spammers have forgotten to include the domain name and have left if at what is presumably the default of domain.com:

Unfortunately, next time the spammers will probably get it right.. in the meantime, here are some example subjects being used in this attack:

Tuesday, 26 July 2011

paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on 66.211.168.83 in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.

So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.

Monday, 14 June 2010

hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110 which is delegated to an HSBC subsiduary called Household International from Verizon. The hsbcnet.com was registered in 1998 to a registrant with an hsbc.com web address:Registrant:HSBC One HSBC Center Floor 21 - HTS eBusiness Buffalo, NY 14203 US

Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01 and then verified by SEVEN other people as a phish - stuartgrantknackNotBuyingItcybercrimemarcoadfoxAminoftheGeezer - although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.

This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.

Don't get me wrong, Phishtank and other similar service can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify is as legitimate.